Exploiting the randomness of the measurement basis in quantum cryptography:
Secure Quantum Key Growing without Privacy Amplification
We suggest that the randomness of the choices of measurement basis by Alice and Bob provides 
an additional important resource for quantum cryptography. As a specific application, we present a 
novel protocol for quantum key distribution (QKD) which enhances the BB84 scheme by encrypting 
the information sent over the classical channel during key sifting. We show that, in the limit of long 
keys, this process prevents an eavesdropper from reproducing the sifting process carried out by the 
legitimate users. The inability of the eavesdropper to sift the information gathered by tapping the 
quantum channel reduces the amount of information that an eavesdropper can gain on the sifted 
key. We further show that the protocol proposed is self sustaining, and thus allows the growing of 
a secret key. 
INTRODUCTION

Quantum cryptography [1] was first described by Bennett and Brassard [2] in 1984. Their protocol, commonly called BB84, is still the most widely used protocol for quantum cryptography today. Its simplicity, its proven security, and the possibility of extending it to entangled photons have contributed to its widespread use.

BB84 describes a protocol for growing a large secret key between two communicating parties starting from a smaller shared secret. The processing of the raw data found in BB84 requires several steps, including key sifting, error correction and privacy amplification. In BB84, privacy amplification [9] allows one to generate a secure key starting from a key that might be partially known to a possible eavesdropper. This increase in security comes at the expense of the final key length.

The basic idea of the present paper is to exploit a resource which, though present in all existing protocols, has so far not been utilized to the full extent. The randomness of the basis choices of both legitimate parties is an important resource, as it is a sequence of perfect random numbers. In current quantum cryptography protocols it is simply used to choose the basis for both preparation and measurement of quantum states. We suggest that this sequence can be further exploited. For example, it might be used for the encryption of data transmitted between the legitimate parties.

As an explicit example of the idea, we present here a modification to the BB84 protocol that reduces the information the eavesdropper can obtain on the sifted key. It seems that this reduction scales with the length of the raw key, which would imply that the information of an eavesdropper on the sifted key can be made arbitrarily small. Even though a complete security proof is not given, we suspect that our protocol can work at a higher quantum bit error rate (QBER) than privacy amplification at the same security level. This advantage is gained by exploiting the randomness of the measurement basis choices further than has been done in BB84.



THE PROTOCOL 

Our protocol can be seen as an extension of the BB84 protocol in the sense that the production of the raw key is identical to the production in the original BB84. This makes it applicable both to QKD based on single photons and to entangled-state QKD. In the analysis of our protocol, we start from the original BB84 scheme. However, our protocol can easily be extended to the case of entangled-qubit quantum cryptography, and probably to many other quantum cryptography systems.

The two legitimate communicating parties, called Alice 
and Bob, establish a common secret key in the following 
way. Alice prepares a state in a two dimensional Hilbert 
space using one of two mutually conjugate basis sets and 
sends it to Bob. In each basis, one basis vector is at- 
tributed to the classical bit value "0", the other to the bit 
value "1". The choice of the basis used, and the bit value 
sent, are both assumed to be completely random. 

Upon reception of the state, Bob randomly measures the state in one of the two bases and stores the result together with his choice of basis. Now both parties possess a table consisting of one entry for each state transmitted. This table is called the raw key. Up to this point, our protocol is identical to the BB84 protocol described in [2].

Once the raw key is produced it is sifted, which in BB84 is done by publicly announcing the measurement basis on a classical channel and keeping only the measurement results where Alice and Bob happened to have chosen the same basis (see Figure 1(a)). We have strong indications that this public announcement of the measurement bases reveals more information about the sifted key to an eavesdropper than is necessary for establishing a secure key between the two legitimate parties. To overcome this potential weakness of the existing protocols, a modification of the basis reconciliation process which does not publicly announce the measurement basis is necessary. Note that, unlike in other protocols that omit a public basis announcement, here the encoding and receiving bases are chosen randomly for every transmitted qubit.

Now consider the following situation: the two legitimate communicating parties, Alice and Bob, have just produced a raw key of length $n$. Thus, Alice possesses a list containing her random preparation basis and the random value of the qubit transmitted for each particular basis choice. Likewise, Bob possesses a list containing his random measurement basis and the corresponding random measurement result for each qubit received. Every entry in these lists represents a single transmitted qubit and can be expressed in two bits of classical information, one for the basis that has been used ($B_i$), the other ($K_i$) for the prepared bit value or the outcome of the measurement. Every entry of the list can thus be written as

$$(B_{p,i}, K_{p,i}) \qquad p = \text{Alice}, \text{Bob} \qquad i = 0, 1, \dots, n \qquad (1)$$

with $B_{p,i}$ and $K_{p,i}$ being single bit values. Additionally, Alice and Bob share a classical secret $S_{1 \dots 2n}$. This $2n$-bit secret string has to be available to Alice and Bob before the protocol starts. For further usage it is split into two parts of equal length, $S_{\text{Alice},1 \dots n}$ and $S_{\text{Bob},1 \dots n}$.

The sifting process now works as follows (see Figure 1(b)). Alice and Bob each apply an XOR operation between their local list $B_{\text{Alice},i}$ ($B_{\text{Bob},i}$) and $S_{\text{Alice},i}$ ($S_{\text{Bob},i}$) to produce a message $M_{\text{Alice},i}$ ($M_{\text{Bob},i}$), in other words

$$M_{p,i} = B_{p,i} \;\text{XOR}\; S_{p,i} \qquad (2)$$

The two computed messages ($M_{p,i}$) are then exchanged over a classical channel. Upon reception, Alice and Bob can decode the message of their communication partner and regain the original list of bases by applying the inverse operation

$$B_{p,i} = M_{p,i} \;\text{XOR}\; S_{p,i} \qquad (3)$$

After this decoding step, Alice and Bob both have information on both lists of bases $B_{\text{Alice},i}$ and $B_{\text{Bob},i}$. Thus, they can now remove all entries of their record where

$$B_{\text{Alice},i} \neq B_{\text{Bob},i} \,. \qquad (4)$$

The eavesdropper, called Eve from now on, cannot reproduce this step, because she does not have the shared secret $S_{p,i}$. This means that even if she has done some sort of eavesdropping on the quantum channel, her information on the sifted key is less than in the case of the original BB84 protocol, as she cannot correctly sift the key with certainty.
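A toy run of the encrypted sifting step of equations (1) to (4), added here as an illustration and not taken from the paper. It assumes an idealised, noise-free channel (Bob's result equals Alice's bit when the bases agree and is a random bit otherwise); the function names, in particular `kept_positions` and `run_protocol`, are mine.

```python
import secrets

# Added illustration of the encrypted sifting step (equations (1) to (4)); not the
# paper's own code. Assumption: an idealised, noise-free channel in which Bob's
# result equals Alice's bit when the bases agree and is a uniformly random bit
# otherwise. All lists are bit lists; index i corresponds to the i-th qubit.

def random_bits(n):
    return [secrets.randbits(1) for _ in range(n)]

def raw_key(n):
    """Produce (B_Alice, K_Alice, B_Bob, K_Bob): the raw key held by both parties."""
    b_a, k_a, b_b = random_bits(n), random_bits(n), random_bits(n)
    k_b = [k_a[i] if b_a[i] == b_b[i] else secrets.randbits(1) for i in range(n)]
    return b_a, k_a, b_b, k_b

def encrypt_bases(bases, secret):
    """Eq. (2): M_{p,i} = B_{p,i} XOR S_{p,i}."""
    return [b ^ s for b, s in zip(bases, secret)]

def decrypt_bases(message, secret):
    """Eq. (3): B_{p,i} = M_{p,i} XOR S_{p,i}; XOR with the same secret undoes (2)."""
    return [m ^ s for m, s in zip(message, secret)]

def kept_positions(bases_a, bases_b):
    """Eq. (4): positions where both bases agree; all others are removed."""
    return [i for i, (x, y) in enumerate(zip(bases_a, bases_b)) if x == y]

def sift(bits, positions):
    return [bits[i] for i in positions]

def run_protocol(n, shared_secret):
    """One run: returns Alice's sifted key, Bob's sifted key, and the positions Eve
    obtains if she treats the encrypted messages as if they were the bases (which
    is exactly what works against the unencrypted BB84 announcement)."""
    assert len(shared_secret) == 2 * n, "S_{1..2n} is split into S_Alice and S_Bob"
    s_alice, s_bob = shared_secret[:n], shared_secret[n:]
    b_a, k_a, b_b, k_b = raw_key(n)
    m_a = encrypt_bases(b_a, s_alice)   # Alice -> Bob over the classical channel
    m_b = encrypt_bases(b_b, s_bob)     # Bob -> Alice over the classical channel
    # Each party decrypts the partner's message with the matching half of S.
    alice_sifted = sift(k_a, kept_positions(b_a, decrypt_bases(m_b, s_bob)))
    bob_sifted = sift(k_b, kept_positions(decrypt_bases(m_a, s_alice), b_b))
    eve_positions = kept_positions(m_a, m_b)   # without S_{p,i} these are guesses
    return alice_sifted, bob_sifted, eve_positions
```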

Once the sifting process is completed, Alice and Bob 
share a sifted key, which usually contains errors. In or- 
der to generate a secure key, which can in turn be used 
for secure transmission of data, this error has to be estimated and corrected. After error estimation and 
error correction, a secure key is generated from the error- 
free sifted key. In BB84 this is done by using a classical 
privacy amplification protocol, which washes out the in- 
formation a possible eavesdropper could have obtained 
on the key by measurements on the quantum channel. In 
this step the final key is reduced in length depending on 
the amount of information an eavesdropper could possess 
of the error corrected sifted key. 

We will show that in our case the encryption of the 
classical channel during basis reconciliation reduces the 
amount of information an eavesdropper can get on the 
sifted key. Even though we do not have a complete quan- 
titative description of this reduction of information ac- 
cessible to Eve, we suspect that the additional privacy 
amplification step might not be required under certain 
conditions. One has to keep in mind that the presharing of a secret string does not represent a disadvantage compared to BB84, where a shared key is required for authentication of the classical channel.

After the secret key has been established between Al- 
ice and Bob, the protocol starts anew with the trans- 
mission and measurement of qubits over the quantum 
channel. During the new run of the protocol, the shared 
secret {Sp^i) used to encrypt the basis exchange has to be 
reused. It is therefore necessary to quantify the amount 
of information an eavesdropper can gain about the shared 
secret during a single run of the protocol. In general the 
upper bound for this information gain depends on the 
quantum bit error rate (QBER) as we will discuss in the 
next section. To sustain the secrecy of the shared secret 
it is therefore necessary to subsequently refresh the se- 
crecy of the initial shared secret after every run of the 
protocol. 

SECURITY CONSIDERATIONS 

The protocol presented in the last section reduces the possible knowledge an eavesdropper can obtain on the sifted key that is established between Alice and Eve. In this section we try to quantify this reduction of information accessible to the eavesdropper. In the limiting case of long key length we find a strong indication that our protocol has an advantage over the existing combination of BB84 and privacy amplification. Considering that we use a resource that has not been used to the full extent in existing protocols, namely the randomness of the basis choices, it is reasonable that such an advantage exists.

The security analysis is split in two parts. First we analyze the amount of information about the shared secret that can be extracted from a single cycle of the protocol. If this amount of information is smaller than the final sifted key, then it is possible to grow a longer shared key with our protocol. In the second part, we analyze the case where Eve has no information on the shared secret and thus has to sift her measurement results without any knowledge of the bases used by Alice and Bob.

Figure 1: (a) Sketch of the original BB84 sifting method. The bases used to encode and measure the qubits are transmitted unencrypted over the classical channel. Using the list of bases received from their respective communication partners, Alice and Bob can decide which qubits were encoded and measured in compatible bases and therefore contribute to the sifted key. (b) Sketch of the protocol proposed in this paper. (1) In addition to the lists of BB84, Alice and Bob both possess a preshared secret that is split into two parts, $S_{\text{Alice}}$ and $S_{\text{Bob}}$. (2) The information on which basis was used for each individual measurement is encrypted with the shared secret before it is sent over the classical channel. This is done by applying a logical XOR between the list of bases and a part of the shared secret. This encryption of the encoding and measurement bases renders it impossible for a third party to correctly sift measurement results obtained from eavesdropping on the quantum channel. For the protocol to be secure it is mandatory that Alice and Bob use different parts of the shared secret and that, for successive runs of the protocol, the secrecy of the shared secret is continuously refreshed.



Plaintext Attack

For the security of the proposed protocol, it is important that the shared secret cannot be determined by analysis of the messages $M_{\text{Alice},i}$ and $M_{\text{Bob},i}$ and any resources that are accessible to an eavesdropper. This includes the ciphertext ($C_i$) that is finally sent by Alice to Bob after a secret key has been established and full knowledge of the plaintext ($P_i$) that has been transmitted with this key. These two resources enable Eve to gain full knowledge of the key that has been used to send the message. This can be seen from the fact that, using the Vernam cipher, the ciphertext is usually created from the plaintext by

$$C_i = P_i \;\text{XOR}\; K_i^{\text{sifted}} \qquad (5)$$

and thus,

$$P_i = C_i \;\text{XOR}\; K_i^{\text{sifted}} \,. \qquad (6)$$

To simplify the further treatment, we assume that Eve has full information on the raw key. This can be written as

$$B_{\text{Eve},i} = B_{\text{Alice},i} \quad \text{or} \quad B_{\text{Eve},i} = B_{\text{Bob},i} \qquad (7)$$

and

$$B_{\text{Bob},i} = B_{\text{Alice},i}, \qquad K_{\text{Eve},i} = K_{\text{Alice},i} = K_{\text{Bob},i} \,. \qquad (8)$$

Note that this assumption provides Eve with more information than she could obtain with any eavesdropping scheme. For a detailed security analysis one would have to drop this assumption and introduce a quantum-bit-error-rate-dependent probability for Eve to have the correct bit value for each position in the raw key. However, in our proof-of-principle analysis it suffices to assume that Eve has complete knowledge of the raw key.

We now assume that the sifted key consists of exactly half the number of bits of the raw key, as this is the case with the highest probability. In this case there exist $\binom{n}{n/2}$ functions that represent a possible sifting method (see Figure 2):

$$f : (K_{p,1}, \dots, K_{p,n}) \mapsto (K_1^{\text{sifted}}, \dots, K_{n/2}^{\text{sifted}}) \qquad (9)$$

It is easy to see that knowledge of the sifting function $f$ that was used to create the sifted key is equivalent to knowledge of the shared secret $S_i$ that has been used during basis reconciliation.

Without any knowledge of the raw key, that is, in the case where Eve does not extract any information from the quantum channel, Eve can gain no information about the sifting function used and therefore about the shared secret.

However, if Eve has maximal information on the raw key as assumed in (7) and (8), she can try out all possible sifting functions with her own raw key, and exclude all functions that do not reproduce the sifted key she knows from her plaintext analysis. This reduces the number of possible sifting functions to

< a < 1 (10)

which is still exponentially growing with the key length $n$.

This reduction in the number of sifting functions can be written as a gain of information $I$ on the shared secret, by calculating the difference in the Shannon entropy with and without ruling out the sifting functions that do not reproduce the final sifted key:

H a posteriori (11)

with

(12)

Assuming that all sifting functions are equally likely,

$$p_i = p \qquad (13)$$

this reduces to

H (14)

and we get an information gain of

ff^iog,(:)-iog.f (15)

Because this information gain has been derived for the case where the eavesdropper has full information on the raw key, it represents the upper bound on the information an eavesdropper can gain on the shared secret. To sustain the secrecy of the shared secret, the legitimate parties have to use this number of bits from the generated sifted key to refresh the shared secret. In our case this would leave the legitimate parties not a single bit for secret communication. However, this derivation is based on the unrealistic assumption that Eve possesses full information on the raw key. One can therefore conclude that the maximal amount of information on the shared secret in a realistic eavesdropping scheme is less than the value obtained here. This strongly suggests that it is possible to use the protocol proposed in this paper for secure quantum key growing.

Again, we would like to stress that the security analysis presented is based on assumptions (7) and (8), which give the eavesdropper much more information on the raw key than is possible for any eavesdropping strategy.

Figure 2: There exist $\binom{n}{n/2}$ sifting functions that map an $n$-bit raw key to an $n/2$-bit sifted key.
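The counting argument of this section, as an added illustration that is not part of the paper: Eve is granted the full raw key (assumptions (7) and (8)) and, via the Vernam cipher of (5) and (6), the sifted key, and discards every sifting function of eq. (9) that fails to reproduce it. The raw key and the true sifting positions are constructed for a small $n$; the function names are mine, and the resulting gain is the literal count for this one key, not the paper's bound.

```python
from itertools import combinations
from math import comb, log2

# Added illustration of the "Plaintext Attack" counting argument (equations (9),
# (10) and (15)); not the paper's own code. A sifting function is modelled by the
# n/2 raw positions it keeps, in order. Eve is assumed to hold the full raw key
# and to have recovered the sifted key from a known plaintext/ciphertext pair.

def sifting_functions(n):
    """All binom(n, n/2) ways of keeping n/2 of the n raw positions (eq. (9))."""
    return combinations(range(n), n // 2)

def apply_sifting(raw_key, positions):
    return [raw_key[i] for i in positions]

def consistent_functions(raw_key, sifted_key):
    """Sifting functions Eve cannot rule out: those reproducing the known sifted key."""
    sifted_key = list(sifted_key)
    return [pos for pos in sifting_functions(len(raw_key))
            if apply_sifting(raw_key, pos) == sifted_key]

def information_gain_bits(raw_key, sifted_key):
    """Entropy difference between the a-priori count binom(n, n/2) and the
    a-posteriori count of surviving functions, all functions equally likely."""
    n = len(raw_key)
    survivors = len(consistent_functions(raw_key, sifted_key))
    return log2(comb(n, n // 2)) - log2(survivors)

# Constructed example: n = 8, the true sifting keeps positions (0, 2, 3, 5).
RAW_KEY = [0, 1, 1, 0, 1, 0, 0, 1]
TRUE_POSITIONS = (0, 2, 3, 5)
SIFTED_KEY = apply_sifting(RAW_KEY, TRUE_POSITIONS)

if __name__ == "__main__":
    survivors = consistent_functions(RAW_KEY, SIFTED_KEY)
    print(f"{comb(8, 4)} sifting functions a priori, {len(survivors)} survive;")
    print(f"information gain on S: {information_gain_bits(RAW_KEY, SIFTED_KEY):.3f} bits")
```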
Sifting without Basis Information 

In the last section we showed that even under the as- 
sumption that Eve has maximal knowledge on the raw 
key and the transmitted plaintext, the produced sifted 
key is sufficiently large to sustain the secrecy of the 
shared secret. We now want to show that the unavail- 
ability of the basis information can drastically reduce the 
probability to obtain the correct sifted key. 

Let us now consider the case where Eve uses a simple intercept-and-resend eavesdropping strategy on all qubits transmitted from Alice to Bob. If she uses the same two basis sets as Alice and Bob, the probability of having a correct final key bit is 75%, given that she has the full basis information which is needed to sift her measurement results. In our protocol, this information is not available to Eve, and thus a qubit intercepted in a compatible basis does not necessarily lead to a correct bit in the sifted key. This reduction in the probability of obtaining a correct final key bit reduces the information accessible to Eve (see Figure 3).

The probability that a single bit $K_l^{\text{sifted}}$ of the sifted key is derived from a specific bit $K_i$ in the raw key can be written using the binomial distribution

$$P\big(K_{\text{Eve},l}^{\text{sifted}} \text{ derived from } K_i\big) = \binom{i-1}{l-1} \left(\frac{1}{2}\right)^{i} \qquad (16)$$



For a large number of $l$, this distribution can be approximated by a Gaussian distribution centered at $i = 2l$, and the full width at half-maximum of this distribution can be seen as the number of basis pairs that contribute with a significant probability to the given sifted key value $K_l^{\text{sifted}}$. By increasing the length $n$ of the raw key, the information that Eve can extract from her measurement results can in principle be reduced arbitrarily.

Figure 3: Without the complete basis information, the eavesdropper is presented with the following situation: for every bit of the sifted key, there is a certain probability that it was derived from a specific bit of the raw key. With increasing key length $n$, more and more raw key bits contribute with non-vanishing probability to the specific sifted key bit. This reduces the probability of conducting a valid sifting process and therefore reduces the information on the sifted key accessible to the eavesdropper.
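A numerical illustration of eq. (16) and the width argument above, added here and not part of the paper. It assumes, as the binomial model implies, that each raw position survives sifting independently with probability 1/2, so the $l$-th sifted bit comes from raw bit $i$ with probability $\binom{i-1}{l-1} 2^{-i}$; `origin_distribution`, `mean_origin` and `fwhm` are names I introduce.

```python
from fractions import Fraction
from math import comb

# Added numerical illustration of eq. (16) and the FWHM argument; not the paper's
# code. Assumption: every raw-key position survives sifting independently with
# probability 1/2, so sifted bit l originates from raw bit i exactly when l-1 of
# the first i-1 raw bits survived and bit i survived:  P(i) = C(i-1, l-1) * 2^-i.

def origin_distribution(l, n):
    """Map raw index i (l..n) -> exact probability that sifted bit l came from raw bit i."""
    return {i: Fraction(comb(i - 1, l - 1), 2 ** i) for i in range(l, n + 1)}

def mean_origin(l, n):
    """Expected raw index; approaches 2l for n >> 2l (the Gaussian centre in the text)."""
    return sum(i * p for i, p in origin_distribution(l, n).items())

def fwhm(l, n):
    """Number of raw positions whose probability is at least half the peak value,
    i.e. how many raw bits Eve must consider as candidates for sifted bit l."""
    d = origin_distribution(l, n)
    peak = max(d.values())
    return sum(1 for p in d.values() if 2 * p >= peak)

if __name__ == "__main__":
    for l, n in ((10, 80), (100, 800), (1000, 8000)):
        print(f"l={l:5d} n={n:5d}: mean i={float(mean_origin(l, n)):8.2f}, "
              f"candidate raw bits (FWHM)={fwhm(l, n)}")
```

The width grows roughly like the square root of $l$, so the share of raw bits Eve can pin down to a given sifted bit shrinks as the key gets longer.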



Authentication 

Until now we did not specify the requirements of the 
classical channel used in the proposed protocol. One of 
the important features of the classical channel in BB84 is 
message authentication. There, the authentication of the 
classical channel is crucial for the security of the protocol. 
Without authentication, a selective modification of the 
basis reconciliation process would allow an eavesdropper 
to decrease the detectable QBER and thus to hide the 
quantum error he introduced during the measurements 
on the quantum channel. 

In our protocol, this selective modification of the basis reconciliation process is not possible, as the bases are encrypted with the shared secret and are therefore completely random. The plaintext attack does not work to gain information on the shared secret, because the basis exchange takes place before the transmission of a ciphertext. Furthermore, any modification to a randomly encrypted message $M_{p,i}$ randomly changes the basis information $B_{p,i}$ and can therefore, on average, not lead to a decreased QBER. This is an indication that our protocol could also work without authentication of the basis reconciliation process. However, until a proof is found for this argument, we have to assume an authenticated classical channel.



CONCLUSION 

We have shown that the random basis choice in quantum cryptography is an important resource and can be exploited more than has been done in existing protocols. Furthermore, we have presented a novel protocol for quantum key growing that makes more extensive use of the inherent randomness of basis choices already present in the classical BB84 protocol. By encrypting the information on the classical channel during the sifting process, it is possible to arbitrarily reduce the mutual information between a possible eavesdropper and the legitimate parties. This is due to the fact that the eavesdropper cannot reproduce the sifting process even in the case where he has maximal information on the raw key and partial knowledge of the final secret key. A complete security proof and a comparison with the full BB84 protocol including error correction and privacy amplification have still to be constructed. However, we suspect that our method has significant advantages in cases where the QBER is high and secure bit rates suffer a heavy decrease due to privacy amplification.